Based on a global survey of 476 information technology and security professionals located in more than 50 countries, the 2014 State of Risk Report from Trustwave offers benchmarks by which IT and security professionals can compare their risk stance against their peers. Data from the report can also be used to inform senior leadership about the largest threats they are facing, gaps that need filling and how they can remediate weaknesses and improve their security posture.
Key findings from the 2014 State of Risk Report include:
• Data is the lifeblood of business: 81 percent of businesses store and process financial data, 71 percent store intellectual property and 47 percent store payment card data.
• High level executives are only somewhat involved: 45 percent of businesses have board- or senior-level management who take only a partial role in security matters; 9 percent do not partake at all.
• Sensitive data may be off the radar: 63 percent of businesses do not have a fully mature method to control and track sensitive data, while 19 percent do not have one at all. Additionally less than half (49 percent) fully encrypt stored sensitive data, with 51 percent only partially or not at all.
• If they’re breached, they don’t know what to do: 21 percent of businesses do not have incident response procedures in place; 20 percent of businesses do not have a process that enables the reporting of security incidents.
• They understand legal implications but fail to take action: 60 percent of businesses are fully aware of their legal responsibilities in safeguarding sensitive data, yet 21 percent never perform security awareness training, 23 percent never hold security planning meetings and 24 percent do not have employees that read and sign their businesses’ information security policy.
• They do not know where their valuable data lives: 33 percent of businesses have not commissioned a risk assessment to identify where their valuable data lives and what controls – if any – are in place to protect it.
• Assumptions about third-party providers’ security controls: 58 percent of businesses use third-parties to manage sensitive data, yet almost half (48 percent) do not have a third party management program in place.
• They lack patch management programs: 58 percent of businesses do not have a fully mature patch management process in place, and 12 percent do not have a patch management process in place at all.
“Businesses must look at security as a business-as-usual imperative,” said Michael Aminzade, vice president of Global Compliance & Risk Services at Trustwave. “Understanding their risk level is the first step. By identifying their largest security shortfalls and rectifying them, businesses can stay ahead of the criminals and decrease their risk of getting breached.”
A third-party firm conducted the survey on behalf of Trustwave. The 476 respondents were information technology and security professionals primarily based in the United States, United Kingdom and United Arab Emirates. Respondents were spread across a wide variety of industry sectors, primarily consisting of technology, financial services and business services. Three-quarters of respondents came from small and midsized businesses with up to 1,000 employees.
